Zum Inhalt springen
The App Fair Project
Dokumentation Blog Apps

dma

3 Beiträge mit dem Stichwort „dma“

What We Talk About When We Talk About Sideloading

- 6 min Lesezeit - 1197 Wörter

This is a cross-posting of an article I wrote for the F-Droid blog at: https://f-droid.org/en/2025/10/28/sideloading.html. As well as managing the App Fair Project, I also serve on the F-Droid board of directors.

We recently published a blog post with our reaction to the new Google Developer Program and how it impacts your freedom to use the devices that you own in the ways that you want. The post garnered quite a lot of feedback and interest from the community and press, as well as various civil society groups and regulatory agencies.

In this post, I hope to clarify and expand on some of the points and rebut some of the counter-messaging that we have witnessed.

Google’s message that “Sideloading is Not Going Away” is clear, concise, and false

Section titled “Google’s message that “Sideloading is Not Going Away” is clear, concise, and false”

Shortly after our post was published, Google aired an episode of their Android Developers Roundtable series, where they state unequivocally that “sideloading isn’t going anywhere”. They follow-up with a blog post:

Does this mean sideloading is going away on Android? Absolutely not. Sideloading is fundamental to Android and it is not going away.

This statement is untrue. The developer verification decree effectively ends the ability for individuals to choose what software they run on the devices they own.

It bears reminding that “sideload” is a made-up term. Putting software on your computer is simply called “installing”, regardless of whether that computer is in your pocket or on your desk. This could perhaps be further precised as “direct installing”, in case you need to make a distinction between obtaining software the old-fashioned way versus going through a rent-seeking intermediary marketplace like the Google Play Store or the Apple App Store.

Regardless, the term “sideload” was coined to insinuate that there is something dark and sinister about the process, as if the user were making an end-run around safeguards that are designed to keep you protected and secure. But if we reluctantly accept that “sideloading” is a term that has wriggled its way into common parlance, then we should at least use a consistent definition for it. Wikipedia’s summary definition is:

the transfer of apps from web sources that are not vendor-approved

By this definition, Google’s statement that “sideloading is not going away” is simply false. The vendor — Google, in the case of Android certified devices — will, in point of fact, be approving the source. The supplicant app developer must register with Google, pay a fee, provide government identification, agree to non-negotiable (and ever-changing) terms and conditions, enumerate all their current and future application identifiers, upload evidence of their private signing key, and then hope and wait for Google’s approval.

What this means for your rights

Section titled “What this means for your rights”

You, the consumer, purchased your Android device believing in Google’s promise that it was an open computing platform and that you could run whatever software you choose on it. Instead, starting next year, they will be non-consensually pushing an update to your operating system that irrevocably blocks this right and leaves you at the mercy of their judgement over what software you are permitted to trust.

You, the creator, can no longer develop an app and share it directly with your friends, family, and community without first seeking Google’s approval. The promise of Android — and a marketing advantage it has used to distinguish itself against the iPhone — has always been that it is “open”. But Google clearly feels that they have enough of a lock on the Android ecosystem, along with sufficient regulatory capture, that they can now jettison this principle with prejudice and impunity.

You, the state, are ceding the rights of your citizens and your own digital sovereignty to a company with a track record of complying with the extrajudicial demands of authoritarian regimes to remove perfectly legal apps that they happen to dislike. The software that is critical to the running of your businesses and governments will be at the mercy of the opaque whims of a distant and unaccountable corporation. Monocultures are perilous not just in agriculture, but in software distribution as well.

As a reminder, this applies not just to devices that exclusively use the Google Play Store: this is for every Android Certified device everywhere in the world, which encompasses over 95% of all Android devices outside of China. Regardless of whether the device owner prefers to use a competing app store like the Samsung Galaxy Store or the Epic Games Store, or a free and open-source app repository like F-Droid, they will be captive to the overarching policies unilaterally dictated by a competing corporate entity.

The place of greater safety

Section titled “The place of greater safety”

In promoting their developer registration program, Google purports:

Our recent analysis found over 50 times more malware from internet-sideloaded sources than on apps available through Google Play.

We haven’t seen this recent analysis — or any other supporting evidence — but the “50 times” multiple does certainly sound like great cause for distress (even if it is a surprisingly round number). But given the recent news of “224 malicious apps removed from the Google Play Store after ad fraud campaign discovered”, we are left to wonder whether their energies might better be spent assessing and improving their own safeguards rather than casting vague disparagements against the software development communities that thrive outside their walled garden.

In addition, other recent news of over 19 million downloads of malware from the Play Store leads us to question whether the sole judgement of a single corporate entity can be trusted to identify and assess malware, especially when that judgement is clouded by commercial incentives that may not align with the well-being of their users.

What can be done?

Section titled “What can be done?”

Google has been facing public outcry against their heavy-handed policies for a long time, but this trend has accelerated recently. Last year they crippled ad-blockers in Chrome and Chromium-based browsers by forcing through their unpopular “manifest v3” requirement for plugins, and earlier this year they closed off the development of the Android Open Source Project (AOSP), which is how they were able to clandestinely implement the verification infrastructure that enforces their developer registration decree.

Developer verification is an existential threat to free software distribution platforms like F-Droid as well as emergent commercial competitors to the Play Store. We are witnessing a groundswell of opposition to this attempt from both our user and developer communities, as well as the tech press and civil society groups, but public policymakers still need to be educated about the threat.

To learn more about what you can do as a consumer, visit keepandroidopen.org for information on how to contact your representative agencies and advocate for keeping the Android ecosystem open for consumers and competition.

If you are an app developer, we recommend against signing yourself up for Google’s developer registration program at this time. We unequivocally reject their attempt to force this program upon the world.

Over half of all humankind uses an Android smartphone. Google does not own your phone. You own your phone. You have the right to decide who to trust, and where you can get your software from.

Free App Stores and Google's Developer Registration Decree

- 6 min Lesezeit - 1147 Wörter

This is a cross-posting of an article I wrote for the F-Droid blog at: https://f-droid.org/en/2025/09/29/google-developer-registration-decree.html. As well as managing the App Fair Project, I also serve on the F-Droid board of directors.

For the past 15 years, F-Droid has provided a safe and secure haven for Android users around the world to find and install free and open source apps. When contrasted with the commercial app stores — of which the Google Play store is the most prominent — the differences are stark: they are hotbeds of spyware and scams, blatantly promoting apps that prey on their users through attempts to monetize their attention and mine their intimate information through any means necessary, including trickery and dark patterns.

F-Droid is different. It distributes apps that have been validated to work for the user’s interests, rather than for the interests of the app’s distributors. The way F-Droid works is simple: when a developer creates an app and hosts the source code publicly somewhere, the F-Droid team reviews it, inspecting it to ensure that it is completely open source and contains no undocumented anti-features such as advertisements or trackers. Once it passes inspection, the F-Droid build service compiles and packages the app to make it ready for distribution. The package is then signed either with F-Droid’s cryptographic key, or, if the build is reproducible, enables distribution using the original developer’s private key. In this way, users can trust that any app distributed through F-Droid is the one that was built from the specified source code and has not been tampered with.

Do you want a weather app that doesn’t transmit your every movement to a shadowy data broker? Or a scheduling assistant that doesn’t siphon your intimate details into an advertisement network? F-Droid has your back. Just as sunlight is the best disinfectant against corruption, open source is the best defense against software acting against the interests of the user.

Google’s move to break free app distribution

Section titled “Google’s move to break free app distribution”

The future of this elegant and proven system was put in jeopardy last month, when Google unilaterally decreed that Android developers everywhere in the world are going to be required to register centrally with Google. In addition to demanding payment of a registration fee and agreement to their (non-negotiable and ever-changing) terms and conditions, Google will also require the uploading of personally identifying documents, including government ID, by the authors of the software, as well as enumerating all the unique “application identifiers” for every app that is to be distributed by the registered developer.

The F-Droid project cannot require that developers register their apps through Google, but at the same time, we cannot “take over” the application identifiers for the open-source apps we distribute, as that would effectively seize exclusive distribution rights to those applications.

If it were to be put into effect, the developer registration decree will end the F-Droid project and other free/open-source app distribution sources as we know them today, and the world will be deprived of the safety and security of the catalog of thousands of apps that can be trusted and verified by any and all. F-Droid’s myriad users will be left adrift, with no means to install — or even update their existing installed — applications. (How many F-Droid users are there, exactly? We don’t know, because we don’t track users or have any registration: “No user accounts, by design”)

The Security Canard

Section titled “The Security Canard”

While directly installing — or “sideloading” — software can be construed as carrying some inherent risk, it is false to claim that centralized app stores are the only safe option for software distribution. Google Play itself has repeatedly hosted malware, proving that corporate gatekeeping doesn’t guarantee user protection. By contrast, F-Droid offers a trustworthy and transparent alternative approach to security: every app is free and open source, the code can be audited by anyone, the build process and logs are public, and reproducible builds ensure that what is published matches the source code exactly. This transparency and accountability provides a stronger basis for trust than closed platforms, while still giving users freedom to choose. Restricting direct app installation not only undermines that choice, it also erodes the diversity and resilience of the open-source ecosystem by consolidating control in the hands of a few corporate players.

Furthermore, Google’s framing that they need to mandate developer registration in order to defend against malware is disingenuous because they already have a remediation mechanism for malware they identify on a device: the Play Protect service that is enabled on all Android Certified devices already scans and disables apps that have been identified as malware, regardless of their provenience. Any perceived risks associated with direct app installation can be mitigated through user education, open-source transparency, and existing security measures without imposing exclusionary registration requirements.

We do not believe that developer registration is motivated by security. We believe it is about consolidating power and tightening control over a formerly open ecosystem.

The Right to Run

Section titled “The Right to Run”

If you own a computer, you should have the right to run whatever programs you want on it. This is just as true with the apps on your Android/iPhone mobile device as it is with the applications on your Linux/Mac/Windows desktop or server. Forcing software creators into a centralized registration scheme in order to publish and distribute their works is as egregious as forcing writers and artists to register with a central authority in order to be able to distribute their creative works. It is an offense to the core principles of free speech and thought that are central to the workings of democratic societies around the world.

By tying application identifiers to personal ID checks and fees, Google is building a choke point that restricts competition and limits user freedom. It must find a solution which preserves user rights, freedom of choice, and a healthy, competitive ecosystem.

What do we propose?

Section titled “What do we propose?”

Regulatory and competition authorities should look carefully at Google’s proposed activities, and ensure that policies designed to improve security are not abused to consolidate monopoly control. We urge regulators to safeguard the ability of alternative app stores and open-source projects to operate freely, and to protect developers who cannot or will not comply with exclusionary registration schemes and demands for personal information.

If you are a developer or user who values digital freedom, you can help. Write to your Member of Parliament, Congressperson or other representative, sign petitions in defense of sideloading and software freedom, and contact the European Commission’s Digital Markets Act (DMA) team to express why preserving open distribution matters. By making your voice heard, you help defend not only F-Droid, but the principle that software should remain a commons, accessible and free from unnecessary corporate gatekeeping.

Apple DMA Compliance Workshop

- 6 min Lesezeit - 1093 Wörter

Update: The video for the workshop has been made available at https://webcast.ec.europa.eu/compliance-with-the-dma-apple-2024-03-18. I’ve updated the blog post with timecodes for each of the questions and answers listed herein.

On March 18th I attended an EC-hosted workshop1 in Brussels on Apple’s compliance measures for the Digital Markets Act. It was a grueling 8-hour affair in a hot windowless room. There were around 75 attendees by my count, from a wide cross-section of organizations, few of whom seemed to feel that Apple was upholding the letter and spirit of the law in their compliance efforts.

Apple’s team of three, headed by Kyle Andeer (formerly an FTC trial lawyer), gamely managed to fend off the barrage, mostly by appealing to Apple’s paramount respect for “user security, privacy and safety” over and over again. The questions tended to be hostile and self-serving, and the responses tended to be vacuous, non-committal, and lacking any technical substance. In short, it went as one might expect.

Questioners were selected randomly from the attendees (both in-person and online). I managed to get two in. Following are my questions and their responses (pulled out of a whisper-generated transcript from the video, which can be accessed here).

Section titled “Question (Marc Prud’hommeaux, the App Fair Project) [12:25:41] (transcript link ↗):”

Hi, my name is Marc Prud’hommeaux, and I’m here representing the nonprofit App Fair Project, which is building an app marketplace to create and distribute free and open source apps as non-commercial digital public goods.

To be approved for an iPhone app marketplace entitlement, Apple is currently requiring that an organization, either 1: have been an Apple developer program member for two years and have an app that has been downloaded one million times in the EU in the previous year.

We’ve been a developer program member since April of 2022, but it’s impossible for us to satisfy the download count requirement because the web browser app that we submitted that year was rejected by Apple.

Option number 2: provide a one million euro standby letter of credit from an A-rated institution as has been discussed.

That number presents a discriminatory and insurmountable barrier to a nonprofit organization such as ours.

I’ve requested an exemption from our Apple representative and was denied.

My question is, since nonprofit organizations are exempt from the core technology fee, what is the rationale for requiring any letter of credit at all?

And what is the objective fairness and reasonableness standard that prevents Apple from increasing that number to 10 million euros or 100 million euros or some arbitrarily high amount that would effectively exclude all alternative app marketplaces at some point in the future?

Section titled “Answer (Kyle Andeer, Apple Vice President of Products and Regulatory Law) [12:33:24] (transcript link ↗):”

Again, when we think about alternative marketplaces and this was something we thought about for a long period of time, we wanted to assure that we had credible and accountable operators of stores and we want to have a single set of objective criteria.

We did not want to have special deals.

We did not want to have special assessments because as soon as you do that, you open yourself up to charges of discrimination.

And so what we focused on was what is a set of criteria that we could apply to make sure that the operators of these stores were credible and accountable and responsible.

And those were the two criteria that we established in addition to some of the other things I talked about, which is the other commitments, whether it’s engaged and ongoing monitoring of fraud to comply with laws like the DSA or the GDPR to publishing transparent data collection policies.

All these other things are important, but at the end of the day, if you don’t have an accountable and responsible operator, then those things mean nothing.

And so what we tried to do, and again, I think I answered this in response to an earlier question, we looked to find criteria that would allow us to have some confidence that the operator is someone we can trust to operate a store in the best interest of our users.

There may be others, and so we welcome feedback about what other criteria could we use to accomplish the goal that we’ve set out.

So we’re going to continue and see how things emerge.

Clearly, it hasn’t been an issue for a number of different developers, some of which we’ve heard from today, some of which we know are out there in terms of being able to secure the line of credit to allow them to enter this program.

Section titled “Question (Marc Prud’hommeaux, the App Fair Project) [16:04:26] (transcript link ↗):”

Hi, Marc Prud’hommeaux from the App Fair Project.

The specific apps that people install and run, including where and when they launch them, can be considered sensitive information when it comes to political and social activity, women’s health and free speech.

Does Apple track personally identifiable information about which apps are installed from third-party marketplaces and where and when they are when the apps are launched?

If so, Apple may be compelled to disclose this information to any of the various legal jurisdictions they operate in.

This could jeopardize vulnerable users.

Will this app installation launch activity still be reported to Apple, even when they opt out of sharing analytics with Apple?

Section titled “Answer (Gary Davis, Apple Data Protection Officer) [16:08:24] (transcript link ↗):”

In that instance, I’m going to somewhat highlight Apple track record in relation to responding to requests from law enforcement where we consider that the requests are disproportionate or inappropriate and clearly in such circumstances we have shown that we will raise questions about those requests and where appropriate pushback.

Obviously, if a request is lawful and is proportionate, we do our best to assist law enforcement in those circumstances.

Where we do have personal data associated with the download of an app, it is simply the download of an app.

It doesn’t indicate anything about usage.

We do not collect any information about your individual usage of an app in a personally identifiable way.

Some will come from analytics that is shared with developers, but that’s across the population of users, not individual users.

And the same installed information that we have from the App Store will be available for app marketplace downloads as well.

Footnotes

Section titled “Footnotes”

  1. https://digital-markets-act.ec.europa.eu/events-poolpage/apple-dma-compliance-workshop-2024-03-18_en